Skip to content

varlock: adopt shared local imports and ignore generated audit noise #339

Description

@WalksWithASwagger

Context

Rafiki has a tracked core schema and passing runtime proof. It now needs the shared local import convention from WalksWithASwagger/kk-agents#23 and a clearer boundary between active source code and generated output. The shared MCP launcher change is owned separately by WalksWithASwagger/kk-agents.

Acceptance Criteria

  • Import only approved reusable values through the shared convention with allowMissing=true.
  • Keep provider- and app-specific declarations in Rafiki's schema.
  • Ensure Varlock audit/scan guidance excludes generated output and other non-source artifacts.
  • Do not add a provider contract based only on a generated one-off artifact.
  • Update repo agent instructions to use Varlock for secret-dependent commands.
  • Add focused redacted load/run/scan coverage with the optional shared source present and absent.

Tests/Evals

  • Existing test, package, and doctor checks remain green.
  • The root schema loads when the optional local source is absent.
  • Scan/audit evidence is limited to active source and committed contracts.

Verification

npm test
npm run pack:check
npm run doctor
git diff --check

Also run redacted varlock load --agent --show-all, varlock scan, and a no-op varlock run --inject vars -- ....

Agent Instructions

  • Work from a clean worktree based on origin/main.
  • Follow WalksWithASwagger/kk-agents#23.
  • Inspect committed source, schema, tests, and docs only.
  • Do not read or move real values.
  • Do not edit the user-level MCP launcher in this repository.

Out of Scope

  • Shared launcher implementation.
  • Real credential migration.
  • Adding contracts for generated one-off outputs.
  • Cloud or production changes.

Metadata

Metadata

Assignees

No one assigned

    Labels

    agent:readyIssue passed intake quality and is ready for an agent attempt.configurationConfiguration and environment setupsecuritySecurity and secrets managementtype:taskImplementation task

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions